Last Friday someone was able to access the Oldsmar, Florida water treatment facility computer system and adjust the levels of sodium hydroxide, aka lye, that would be added to the water. The Tampa Bay Times has the details:
Local and federal authorities are investigating after an attempt Friday to poison the city of Oldsmar’s water supply, Pinellas County Sheriff Bob Gualtieri said.
Someone remotely accessed a computer for the city’s water treatment system and briefly increased the amount of sodium hydroxide, also known as lye, by a factor of more than 100, Gualtieri said at a news conference Monday. The chemical is used in small amounts to control the acidity of water but it’s also a corrosive compound commonly found in household cleaning supplies such as liquid drain cleaners.
The city’s water supply was not affected. A supervisor working remotely saw the concentration being changed on his computer screen and immediately reverted it, Gualtieri said. City officials on Monday emphasized that several other safeguards are in place to prevent contaminated water from entering the water supply and said they’ve disabled the remote-access system used in the attack.
The Pinellas County Sheriff’s Office is investigating, along with the FBI and the Secret Service, Gualtieri said.
Nobody has been arrested, Gualtieri said, though investigators have some leads. They do not know why Oldsmar was targeted, he said.
Though some cities obtain water through Pinellas County, Oldsmar provides water directly to its businesses and roughly 15,000 residents, Gualtieri said. The computer system at the water treatment plant was set up to allow authorized users to remotely access it for troubleshooting.
A plant operator was monitoring the system at about 8 a.m. Friday and noticed that someone briefly accessed it. He didn’t find this unusual, Gualtieri said, because his supervisor remotely accessed the system regularly.
But at about 1:30 p.m. the same day, Gualtieri said, someone accessed the system again. This time, he said, the operator watched as someone took control of the mouse, directed it to the software that controls water treatment, worked inside it for three to five minutes and increased the amount of sodium hydroxide from 100 parts per million to 11,100 parts per million.
The attacker left the system, Gualtieri said, and the operator immediately changed the concentration back to 100 parts per million.
“At no time was there a significant adverse effect on the water being treated,” the sheriff said. “Importantly, the public was never in danger.”
Even if the operator hadn’t caught it, he said, it would have taken more than a day for the water to enter the water supply.
“The protocols that we have in place, monitoring protocols, they work — that’s the good news,” said Oldsmar Mayor Eric Seidel. “Even had they not caught them, there’s redundancies in the system that would have caught the change in the pH level.
“The important thing is to put everyone on notice,” he said. “There’s a bad actor out there.”
Much more at the link, including a profound statement by Florida’s senior senator Micro Rubio.
Malcolm Nance immediately jumped to conclusions:
WARNING: A Remote access hack occurred Friday at a water treatment plant in Florida were someone remotely operated the computer controls, while staff watched and attempted to raise the amount of LYE chemicals in the water 1,000%. Both Russia & Iran have tried this before. https://t.co/D11RMlrwGL
— Malcolm Nance (@MalcolmNance) February 8, 2021
ALWAYS BET ON BLACK: Predicted? No, but I did write several warnings on Russian remote seizure attacks that seem almost identical to the Florida incident in @hackamericabook Page 102 … in 2016. Also see @TAPSTRIMEDIA & my 2015 book #HackingISIS. #GoRead https://t.co/Y8QnzYf3MO pic.twitter.com/lxXIociBME
— Malcolm Nance (@MalcolmNance) February 8, 2021
These conclusions were then picked up and broadcast to everyone by Rachel Maddow on her show this evening.
I know a little something about Oldsmar, Florida. Largely because the Balloon Juice Bunker compound in the cypress scrub is adjacent to Oldsmar. For lack of a better geographic locator, since the post office refuses to recognize Balloon Juice Bunker Compound, Cypress Scrub, FL, USA as a legitimate address*, I ACTUALLY FUCKING LIVE IN OLDSMAR!!!! And I can honestly say NO ONE WHO DOESN’T LIVE IN OLDSMAR OR NORTH PINELLAS COUNTY OR WESTERN HILLSBOROUGH COUNTY OR SOUTHERN PASCO COUNTY OR KNOWS SOMEONE WHO DOES EVEN KNOWS THERE IS AN OLDSMAR, FL!!!!!!
You can sneeze across Oldsmar if the wind is blowing the right way. Oldsmar is about a dozen stoplights running north-south and east-west at the northwestern most point of Tampa Bay. It got its name because RE Olds and his family had their winter home here, which they named Oldsmar. As in Olds by the sea. Or the sea of the Olds. And given the amount of venerable elders, Olds by the sea is an appropriate name!
I could be wrong, but I would be highly surprised if this was the Russians. I’ve been working on the Russian active measures, hybrid warfare, and political warfare problem set since January 2014 when I was assigned, under temporary assigned control, as the Cultural Advisor/Senior Civilian Advisor to the Commanding General of US Army Europe. I have published, in Special Warfare**, which is the professional journal of the Special Warfare community***, about how the Russians have probed for vulnerabilities and weaknesses in order to target a variety of utilities and the systems that control them. Three years before my article was published, in May of 2016, I included this strategic concern in a briefing I gave at FT Bragg to a room full of American and allied general officers and senior staff that partially dealt with Russia and its geo-strategic and regional strategic ambitions. My professional assessment, given what we know now, is that it is highly unlikely that this is the Russians. I have also published, just last July, on political warfare, which included this concern. This isn’t something I’ve just started thinking about today, I’ve been considering the problem off and on for over seven years as part of my professional work.
There are several reasons why I doubt this was the Russians. The first is that right now Putin does not want to do anything to further stress Russian relations with the US. President Biden and his team are not Trump and his team. And President Biden has already made it clear to Putin that he is not going to tolerate Putin’s actions the way Trump did. The second is that since almost no one in most of Florida, let alone the rest of the US knows that Oldsmar existed, at least before today, that it is a very strange place for Putin’s merry band of mischief makers to target a water treatment facility.
I think it is far more likely that either a disgruntled current or former employee of the City of Oldsmar or of Pinellas County who knew that this point of access existed and exploited it for their own purposes. Or that a local mischief maker went probing for an access point, found one, and decided it was party time. We do have a small, but sizable white supremacist, neo-NAZI, and domestic right wing extremist presence in the area, so it is also possible one fo them did it. Frankly, I wouldn’t be surprised if we find out that an actual authorized user who was teleworking and on the system stepped away from their computer for a few minutes without logging out to get something to drink or use the facilities and their cat walking across the computer desk or their toddler wanting to help daddy or mommy work unintentionally reset the levels. I think the Russians attacking Oldsmar, Florida through a water treatment facility that only supplies Oldsmar is, in my professional opinion, a big stretch. Is it possible it was the Russians? Sure. Is it probable and plausible? I think it likely improbable and implausible.
We’ll know more when we know more. And I know enough about what I don’t know to state that I could be wrong.
* I personally blame Louis DeJoy.
** I apologize for the random capitalizations, I’m pretty sure whoever copyedited this decided these were operational terms of art and capitalized them.
*** It was nice of them to hide their professional journal in plain sight.